To use Cyware you must have cookies enabled. By Registering or Signing in, you agree to our Terms and Privacy Policy. You can also signup using Google Account. We will not use your credentials to import contacts or post anything on your account without your permission.For more info, please see Login FAQ.

The WannaCry ransomware first appeared in May 2017 and infected entities located in over 150 countries.

The top three countries still infected by WannaCry are China, Indonesia, and Vietnam.

The WannaCry ransomware made its first occurrence in May 2017, infecting hundreds of thousands of computers, across 150 countries. Like other traditional ransomware variants, WannaCry encrypts files on the system’s hard drive and demands huge sums of ransom in exchange for decrypting data.

Experts recently discovered that even after 18 months, WannaCry continues to be a persistent threat and lurk on vulnerable computers across the globe. Earlier this year, security researchers from Kryptos Logic registered a domain that acted as a kill switch for the ransomware component of the infection.

If the infection was connected to the kill switch domain, then the ransomware component would not activate. However, the ransomware would continue to run silently in the background, while routinely connecting to the kill switch domain to ensure if it was still active.

The kill switch domain

On December 21, 2018, Jamie Hankins, the head of security and threat intelligence research at Kryptos Logic took to Twitter to reveal the details of WannaCry infections, such as the number of connections and unique IP addresses that continue to connect to the kill switch domain.

Even though this kill switch domain is now hosted by Cloudflare in order to provide high availability and protection from DDoS attacks, they still have access to the statistics regarding this domain, Hankins told BleepingComputer.

WannaCry’s current activities

Hankins posted WannaCry statistics on Twitter which states the following:

The kill switch domain received approximately 17 million beacons or connections per week.

The millions of connections came from nearly 630,000 unique IP addresses located in 194 different countries, in just one week.

The top ten countries still infected by WannCry are China, Indonesia, Vietnam, India, Russia, Venezuela, Thailand, Ukraine, Taiwan, and Brazil.

The number of connections is less in the weekend when compared to weekdays, likely because most users are at work and online when at work.

“The UK consists of approximately 0.15% of the total connections with the USA coming in at 1.35% for a single day's statistics. These numbers can be skewed by DHCP churn over longer time periods,” Hankins told BleepingComputer.

TellTale Service

A new service named “TellTale” was recently deployed. It notifies organizations about WannaCry ransomware infections, as well as infections of other malware and ransomware variants. This service was released by the Kryptos Logic in April 2018. TellTale service also allows organizations to monitor their range of IP addresses for known infections.

Who we are

Cyware is a first-of-its-kind, comprehensive cyber situational awareness platform, designed to help you stay informed about the latest happenings in the cyber world with expertly curated news stories and updates.

Our Technology

Let IBM's Watson Find the Right News For You

The cyber threat landscape is changing rapidly, and cybersecurity news has claimed its spot on the front pages in recent months. It's not easy to find the right information from tens of thousands of cyber news articles and feeds published every day. Our machine learning based curation engine brings you the most relevant cyber content based on your needs.

Receive Daily Cyber News in Your Inbox

From the latest cyber security trends and innovations to new malware, vulnerabilities and threat intelligence, we bring you the most up-to date and relevant cyber updates and news alerts.